The Data on (Breached) Data: Chubb Shares Two Decades of Cyber Claims Data

Since 2016, Verizon has annually declined to estimate the average cost of a data breach.  Verizon reasons that since there are many variables that can determine breach cost, there is no reliable “average” data point.  There are, however, identifiable factors that we know impact breach cost, like industry sector, threat actor, number of records, impacted data type, etc.  So, the more we know about a particular entity’s risk profile, the better equipped that entity is not only to protect itself but also to predict the potential cost of a breach.

Enter Chubb’s Cyber Risk Index.  It’s 20 years of claims data, organized by industry, annual revenue and time period.  Since industry sector and company size are significant differentiators in the context of data breach analyses, this tool lets companies home in on meaningful data about the nature and extent of their data breach risk.  And it’s free, whether you’re insured by Chubb or not.

I played with the interactive index a bit and here are a few interesting data points:

  • A tech company with under $10 million in annual revenue has not reported a claim to Chubb in 2014, 2015, 2016 or 2017.  There were likely three claims so far in 2018, two caused by malware and one caused by a social engineering scam, both external threat actors.  Takeaway: insider misuse or error doesn’t appear to be a significant problem for start-up and smaller tech companies, like software service providers and developers.
  • In 2018 so far, claims impacting the largest public sector entities ($500M to $1B) were exclusively caused by external threat actors.  On the other end of the spectrum, claims impacting the smallest entities in the public sector (under $100M annual revenue) arose from either internal or unknown causes.  This is a good example of the need to consider not only industry, but entity size in risk profile analysis.
  • The education sector is apparently taking fire from all sides, irrespective of entity size.  For the largest and smallest institutions, breach causes have run the gamut for the past several years, emanating from internal and external causes and taking the form of hacking, social engineering and even physical theft.

The index isn’t perfect.  The most notable missing data relates to the cost of a breach.  When NetDiligence issued its 2015 report studying 160 actual insurance claims, it concluded that the average cost of a breach was approximately $700,000.00.  This is a far cry from the $3-4M routinely reported by Ponemon.  So, a database like this could really raise some eyebrows (and consciousness) if it shared some cost data.  Likewise, the index doesn’t report the actual number of claims, dealing instead in percentages, which can be misleading (or used to mislead).

Still, Chubb’s willingness to share data for free and in an easy-to-use interactive interface is a definitive step in the right direction.  The more an entity knows about its risk profile, the better able it is to protect its most valuable data and to make intelligent decisions about insuring against the risk of a breach.